Tag Archives: Security

Mar 16

Let’s face it, unexpected outages are the biggest cost you’ll never expect to pay. According to the consulting group Gartner, only 35% of small to medium-sized businesses have a disaster recovery plan of any type. This is a staggering statistic considering that the cost of downtime averages $84,000 – $90,000 per hour for an SMB and a whopping $1.25b – $2.5b for large businesses. These statistics are not hard to find. Anyone who reads the latest trade mags can find this data online or in print.

With these kinds of numbers facing businesses, how does an SMB leader overcome it?

The answer is face it, don’t avoid it. There is some good news however.

New innovations combining Shadow Copy, Virtualization and Cloud allow for some decently priced solutions that add resiliency from disaster and scale with business growth.

By combining your backup and DR, your business can create a comprehensive recovery system that will help protect you from outages due to virus attacks, data corruption, hardware failure and even full site failure. Companies that specialize in these solutions will install an appliance at your location that acts as the backup and DR device. The device starts by creating a virtual image of your servers. In the event of an outage, that virtual image can be activated, allowing a temporary virtual server to run from the DR appliance independent of the original server. Through snapshot technologies, changes in data at the block level are captured and applied to that virtual image. This allows you to stand up that virtual machine as it was at any given point within the backup frequency. These snapshots can be taken every 5 minutes or every day, depending on how much data you can afford to lose.

This acts as revision control and near real-time backup.

What if the DR appliance fails? Well, that’s where the Cloud comes in. The DR providers configure their appliances to trickle-feed the backup data to their data centers over a secure connection. Typically a VPN or private line is established in advance to a segmented part of the provider’s network, which allows fast, secure off-site transmission of your backup data and also the ability to stand up the virtual recovery server in the Cloud. This allows you to resume operations from anywhere in the world.

If the device fails for some reason, the provider already has the data and will ship a replacement appliance overnight that is pre-configured and has all your data on it.

This may sound like an expensive solution, but it’s surprisingly affordable. A typical cost for a solution like this for a 250GB server is around $400-$800 per month. That’s less expensive than the cost of a tape drive with support, enterprise backup software with support, loads of expensive tapes, someone’s labor to validate and test backups regularly and a secure way to transfer them offsite. Not to mention the extra DR capability you gain. Also, snapshot technologies have no restrictions by application type, file locks or files in use, so the backups are much more reliable.

Combining your Backup and Disaster Recovery in this way can save you a lot of money and productivity loss from downtime. Any businesses that are still using tape backups or considering the cost of replicating their entire environment to a remote location (thereby doubling their capital costs) should consider a solution like this.

CBC Solutions is a holistic consulting company whose mission is to help businesses reduce risk and manage costs. We do this by assessing your environment with our expert team of IT veterans, then aligning best in breed providers from our extensive partner network with your business goals.

Contact CBC Solutions today to see how we can help!

CBC Solutions
info@cbcsolutions.biz
619-784-5211
www.cbcsolutions.biz

02 Jul 15


I was in a networking group once where we had to go around the room and describe what makes us different than our [sometimes larger] competitors. Although all of us were from different industries, virtually everyone’s value proposition could be summed up into one word. Trust!

When I was a kid, I learned that trust had to be earned. I still believe that today. The question is, how do you trust someone to advise you on something you don’t understand?

I have advisors for Marketing, Insurance and Taxes. Not subjects I went to school for, nor do I profess to be an expert in any of them. However, I do consider myself a good judge of character, and being an advisor myself, I know what it takes to earn trust.

Results Matter
No one can talk about trust without considering results. Obviously that’s number one. A good trusted advisor will help you develop goals on which to measure success. My marketing advisor develops goals to measure hit count on my website, conversion rates, new sales leads, etc. With my Tax guy, it’s how he manages my deductibles and how susceptible I am to an audit. My Insurance agent makes sure I have the coverage I need. She’s not the cheapest in the world (and she tells me that), but she’s upfront and makes a real effort to understand my needs.

The point is, to measure results, the proper goals need to be set and you should be able to gauge how well you do in achieving them. It goes beyond ‘under promise – over deliver’. Anyone can under promise. Goals should be realistic. It’s also not as important to hit them on the first throw as much as how you can change up the game if you miss your target or don’t get the results you want.

Communication
One of the best value principles of a good advisor is communication. The advisors I trust are the ones who give it to me straight. In sales, we’re taught to tell the customer what they want to hear. Advisors are here to tell us what we need to hear. It may not always be good news, but if you need to hear it, it’s valuable.

Time is Money
Once you find an advisor you trust, how much time do you spend validating their work? If your advisor gives you a quote, do you look for a better one? Maybe, if the time it takes to shop doesn’t exceed the amount of money you might save on their offer. However, I’ve seen people spend 10 hours to save $100. Not my favorite approach.

Disclosure
Ultimately, the people I trust most are the ones who are forthcoming about their commission rates, competitor pricing, markups and wholesale costs. That doesn’t mean they have to volunteer all that information, just that they’re honest about what they’re making on the deal and how much risk they’re assuming. Not everyone can do this, but the ones who can usually earn my trust pretty quickly.

Dedication
When you have an advisor you really trust, nurture that relationship. They will usually be there in a pinch when you need them most.

I’m not personally a strong believer in the 80/20 rule. At least not in the ways it’s used in sales. The most common translation I see is to focus 80% of your time on the top 20% of your customers. Personally, I strive to give 110% to every customer and I expect the people I do business with to do the same. Because Trust is the name of the game. If your advisor gives you the impression they’re putting 110% into you, ask yourself: are you in their top 20%, or do they bring that dedication to every table?

24 Jun 15

Businesses today have to manage a lot of risk. When it comes to technology, the risks are vast and can be difficult to calculate. The effectiveness of a security or disaster recovery solution can be especially hard to calculate. How do you know if you have enough redundancy and tight enough security controls to keep your business safe? Until something happens, you really don’t know. And then when it does, of course, it’s too late.

There are several ways to manage risk when it comes to technology. A security professional can perform a risk analysis to help you to determine your risk threshold, or the balance between mitigation and acceptance. This is also referred to as risk ‘appetite’ or ‘tolerance’.

Risk Avoidance – Often the risk is too great and it’s best to hold off on the solution until the risk can be mitigated. The risk analysis will tell you whether you should avoid the solution or mitigate the risk.

Risk Acceptance – Sometimes a risk is accepted and the organization decides to roll the dice and hope nothing happens. Again, this is not always a bad decision; the risk analysis will help you determine that. You’ll need to review your risk threshold and the mitigation costs so you don’t create more vulnerability than you’re comfortable with.

Risk Mitigation – Anytime a risk assessment is performed, mitigation costs should accompany it. The cost of mitigation should be considered anytime a vulnerability is discovered.

Risk Transference – One of the better benefits of Cloud Computing and Managed Services is that it often allows you to transfer the risk to another party. The feasibility of this boils down to the contract. There should be a Service Level Agreement (SLA) in place that indicates where the provider’s responsibility begins and ends and where their liability ends. This will help you to uncover how much risk has been transferred to the other party and how much you should still be worried about.

Qualitative vs Quantitative Risk Assessment

Information security professionals will generally perform a risk assessment as one of these two types. A Qualitative Risk Assessment is the more general version, where risks and vulnerabilities are rated as high, medium or low. There aren’t many numbers involved in a Qualitative Risk Assessment. It’s more of a lower-cost option to help you define your current posture.

For a detailed risk assessment where dollar amounts are assigned to each component, consider a Quantitative Risk Assessment. In this type of assessment, risks are calculated down to a specific number. There is a lot of math that goes into this so it can be a rather expensive task. Security professionals will calculate the following factors:

Single Loss Expectancy (SLE) – the cost of a single incident if it occurs

Annual Rate of Occurrence (ARO) – how many times a year the asset is lost to the risk

Annualized Loss Expectancy (ALE) – the anticipated loss per year due to the risk; calculated by multiplying the SLE by the ARO

Exposure Factor – the proportion of an asset that could be lost when the risk occurs. For example, if it’s determined that a building would on average burn halfway through if it catches fire, the exposure factor would be 0.5 or 50%

Safeguard Value – how much you’re willing to spend to mitigate a specific risk

There are several formulas used to calculate the values above and define a risk tolerance. I won’t go into all of them since that’s a book all on its own. If you’re dying of curiosity, you can read all 495 pages of The Security Risk Assessment Handbook. For now, just know that there are two different kinds of risk assessments, and best of all, there are trusted companies to help you perform one. Ideally, every company should at least have a Qualitative Risk Assessment performed.
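As an added example that is not part of the original post, the following Python works the definitions above through a small constructed risk register: SLE as asset value times exposure factor, ALE as SLE times ARO, and the net value of a safeguard as the ALE it removes minus what it costs per year, then bands each ALE into the high/medium/low labels a qualitative assessment would use. Every asset value, rate, price and threshold in it is made up for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Example code, not the page's: a constructed risk register worked through the
# quantitative formulas (SLE, ALE, safeguard value) and then banded qualitatively.

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: replacement cost of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year (0.1 = once per decade)

def single_loss_expectancy(r: Risk) -> float:
    """SLE = AV x EF: what one occurrence of the risk costs."""
    return r.asset_value * r.exposure_factor

def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: expected loss from the risk per year."""
    return single_loss_expectancy(r) * r.aro

def safeguard_value(r: Risk, annual_cost: float, new_ef: Optional[float] = None,
                    new_aro: Optional[float] = None) -> float:
    """Net yearly benefit of a control: (ALE before - ALE after) - annual cost of control.
    A control may lower EF (less lost per incident), ARO (fewer incidents) or both;
    a negative result means the control costs more than the loss it prevents."""
    after = replace(r, exposure_factor=r.exposure_factor if new_ef is None else new_ef,
                    aro=r.aro if new_aro is None else new_aro)
    return annualized_loss_expectancy(r) - annualized_loss_expectancy(after) - annual_cost

def qualitative_band(ale: float, high: float = 100_000, medium: float = 10_000) -> str:
    """Collapse a dollar ALE into the high/medium/low label a qualitative assessment uses.
    The thresholds are constructed; a real assessment sets them from the risk appetite."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"

# Constructed register. EF 0.5 for fire mirrors the page's "building burns halfway" example.
REGISTER = [
    Risk("office fire", asset_value=2_000_000, exposure_factor=0.5, aro=0.1),
    Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=annualized_loss_expectancy, reverse=True):
        ale = annualized_loss_expectancy(r)
        print(f"{r.name:27} SLE ${single_loss_expectancy(r):>12,.0f}"
              f"  ALE ${ale:>10,.0f}  {qualitative_band(ale)}")
    # Backup/DR appliance at a constructed $600/month; restorable data cuts the
    # ransomware EF from 0.6 to 0.1.  Positive value means it pays for itself.
    print(f"DR appliance net value: ${safeguard_value(REGISTER[1], 600 * 12, new_ef=0.1):,.0f}")
```

Ranking by ALE is what lets a quantitative assessment order the register by dollars rather than by gut feel; the safeguard calculation shows why a control that removes a risk entirely can still be the wrong purchase when it costs more per year than the ALE it eliminates.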

Jun 15

“Cloud Computing” has got to be the most misunderstood term since the technological revolution began. Not to mention all the sub-terms and acronyms that go with it.

With all these different flavors of computing, how does a business leader know which one to pursue?

The good news is, you don’t have to. All you need to do is adequately define what your real requirements are and find the services that meet those needs. A Cloud Consultant can help.

A business computing environment can be broken down to three parts. Processes, Data, & Services. Applications align with your business processes, store & retrieve data then deliver it to the user through a service. The questions you need to ask yourself are:

How is my data stored?

Are the processes aligned with my business?

How fast & reliable should the service be?

A Cloud Consultant should ask you some critical questions to help you define requirements. Do you care where your data is stored and how secure it is? Are your business processes well defined, and are they efficient? How much downtime and delay can your business handle?

Knowing these questions will help the consultant find the best services for your business. A good consultant will address these issues before getting into cost.

Speaking of cost, the draw to Cloud Computing isn’t always that it’s cheaper, though that’s often the case. The real reward comes from the fact that the costs are predictable and scale up and down with utilization. With the right set of services, the costs will be more predictable and help your bottom line.

Internal solutions usually start with a costly investment in hardware, software, services and infrastructure. These costs generate negative value when they’re first deployed. The value doesn’t come until the utilization of the services hits a certain threshold. Once the business starts using the solution, there’s a brief value add and the investment pays off.

Eventually the utilization will outgrow the capacity of the solution, and upgrades will be required. What happens then? Another large investment. The costs of upgrading, migrating and shutting down the old systems come into play, and now it’s even longer before you recoup the costs.

In contrast, a solution “As A Service” doesn’t usually require a lot of up front costs. A monthly fee is applied based on utilization so that the costs will scale with the value the solution provides. As your organization uses the service, the costs will rise. If the service doesn’t add value and it’s used less, the costs go down. It’s much easier to retire a service and the upgrades are handled by someone else.

CBC Solutions is a product-agnostic organization that specializes in defining the business requirements and aligning solutions that meet those needs with a predictable cost model and verifiable efficiency metrics.

24 Jun 15

Almost every survey regarding moving an enterprise to the cloud shows “Security” as the top concern of most business leaders. It’s important to note that the “Cloud” can only be as secure as the provider makes it. Some cloud providers are exemplary at providing a secure network; some are not. The right cloud provider is going to operate their network with a much higher level of security than most enterprises, but it’s not good practice to assume they are doing so. In order to find out how secure your provider is, it’s important to ask the right questions.

It’s not enough to trust that your data is secure just because your vendor says it is. Read through your contract in detail. It’s also a good idea to get a legal review of the contract, preferably before it’s signed, to make sure you know where your liability ends and the provider’s begins. Your provider should be able to answer these 5 questions:

1. Who has access to my data and how is that access managed?
This is important. The provider will always have access to some form of the data. It has to. The question is, does the provider maintain a good security practice around the management of that data, and how is access governed within the provider’s network?

Good answers to expect: ‘We have limited access by only key individuals; security is managed by a rigorous access control and auditing program’

Possible warning signs: ‘We have no access to your data’; ‘We are not responsible for data security’

2. What screening methods are involved in hiring staff members and vendors?
Service providers of every type should have a process to make sure that their staff members and vendors all pass a rigorous security screening, which includes background checks to make sure they’re trustworthy.

Good answers to expect: ‘We have a detailed screening process that all employees must pass before they’re able to work here’

3. How can I report a possible security breach and what is the expected response time?
The answer to this question should be very clear. Furthermore, the process should be documented and easily accessible. Your staff members should be able to know what to do in an emergency.

Good answers to expect: ‘Call this number to speak to a support representative immediately’

Possible warning signs: ‘Submit a ticket by email or web form; your inquiry will be responded to within one business day’

4. Do you have a security policy and is it available to customers?
This is a bit of a trick question. Security policies should be company confidential. If a provider is too willing to give you information about their security practices, that could indicate irresponsibility on their part. They should be able to provide a list of security policies and the table of contents, but not the policy itself. Some providers will be able to even provide certifications based on SSAE, PCI or SOX audits.

Good answers to expect: ‘We have internal, confidential policies, but we can provide limited disclosure on what those policies contain’

Possible warning signs: ‘Yes, we can provide you with all our security documents’

Even worse answer: ‘We have a policy, but it’s not in writing’

5. What security related certifications does your organization own?
There are a lot of security certifications out there for solution providers. Sarbanes-Oxley is one; SSAE 16 is one that applies to datacenters specifically, and there are 3 types: 1, 2 & 3. Having all three means the facility has undergone a very strict audit that happens once a year in order for them to keep their certification.